Cisco Systems 2960 User Manual
31-17
Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 31 Configuring Network Security with ACLs
Configuring IPv4 ACLs
In this example, the workstation that belongs to Jones is allowed access, and the workstation that belongs
to Smith is not allowed access:
to Smith is not allowed access:
Switch(config)# access-list 1 remark Permit only Jones workstation through
Switch(config)# access-list 1 permit 171.69.2.88
Switch(config)# access-list 1 remark Do not allow Smith through
Switch(config)# access-list 1 deny 171.69.3.13
For an entry in a named IP ACL, use the remark access-list configuration command. To remove the
remark, use the no form of this command.
remark, use the no form of this command.
In this example, the Jones subnet is not allowed to use outbound Telnet:
Switch(config)# ip access-list extended telnetting
Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
Switch(config-ext-nacl)# deny tcp host 171.69.2.88 any eq telnet
Applying an IPv4 ACL to a Terminal Line
You can use numbered ACLs to control access to one or more terminal lines. You cannot apply named
ACLs to lines. You must set identical restrictions on all the virtual terminal lines because a user can
attempt to connect to any of them.
ACLs to lines. You must set identical restrictions on all the virtual terminal lines because a user can
attempt to connect to any of them.
Beginning in privileged EXEC mode, follow these steps to restrict incoming and outgoing connections
between a virtual terminal line and the addresses in an ACL:
between a virtual terminal line and the addresses in an ACL:
To remove an ACL from a terminal line, use the no access-class access-list-number {in | out} line
configuration command.
configuration command.
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
line [console | vty] line-number
Identify a specific line to configure, and enter in-line configuration mode.
•
console—Specify the console terminal line. The console port is DCE.
•
vty—Specify a virtual terminal for remote console access.
The line-number is the first line number in a contiguous group that you want
to configure when the line type is specified. The range is from 0 to 16.
to configure when the line type is specified. The range is from 0 to 16.
Step 3
access-class access-list-number
{in | out}
{in | out}
Restrict incoming and outgoing connections between a particular virtual
terminal line (into a device) and the addresses in an access list.
terminal line (into a device) and the addresses in an access list.
Step 4
end
Return to privileged EXEC mode.
Step 5
show running-config
Display the access list configuration.
Step 6
copy running-config startup-config (Optional) Save your entries in the configuration file.